Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
858
Views
0
Helpful
4
Replies

Ftp data port problem(urgent, help)

bigeric
Level 1
Level 1

‎04-12-2005 04:46 AM - edited ‎03-09-2019 10:55 AM

Dear All,

I am using PIX515E and I should have allow both ftp and ftp-date for both incoming and outgoing. However, I can connect to my internal ftp server from outside but couldn't initiate the data transfer. Is there anything I should pay attention to in the PIX configuration ?

Labels:
0 Helpful
4 Replies 4

sachinraja
Level 9
Level 9

‎04-12-2005 07:56 AM

are thre any access-lists on ur inside interface ?? if so, you ned to permit tcp port 21 from inside to outside...

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq ftp

access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data

fixup protocol ftp 21

try this and let us know...

Raj

0 Helpful

mhussein
Level 4
Level 4

‎04-12-2005 07:57 AM

Hello,

This seems to be a problem with ftp-data port (TCP 20) blocked. Could you post your configs?

Regards,

Mustafa

0 Helpful

sfranklin
Level 1
Level 1

‎04-15-2005 09:13 AM

I am having the exact same issue. Pix 515E 6.3(4)

Clients connect and then time out and drop.

Receiving this error message.

Apr 13 2005 11:13:38: %PIX-4-406002: FTP port command different address: 10.1.1.1(X.X.X.X) to X.X.X.X on interface inside

Apr 13 2005 11:13:39: %PIX-6-106015: Deny TCP (no connection) from X.X.X.X/22510 to X.X.X.X/21 flags PSH ACK on interface outside

I've been fighting this issue for a week. I would be very interesting in your solution.

0 Helpful

fedrodri
Level 1
Level 1
In response to sfranklin

‎04-18-2005 08:18 PM

Hello, all

It seems to me that you're talking about inbound Passive FTP problems, initial connection made, but cannot list directories; it also seems to me that the internal FTP server is responding on the PORT command with its public IP, instead of with the private one. Check on the server settings... Or get some 'captures' from both the inside and outside interfaces, that would help you determine the causes for that. Assuming that you have something like this:

static (inside,outside) ftp-global-ip ftp-local-ip

OK, so here is an example how to get the captures:

access-list ftp-out permit tcp any host ftp-global-ip

access-list ftp-out permit tcp host ftp-global-ip any

access-list ftp-in permit tcp any host ftp-local-ip

access-list ftp-in permit tcp host ftp-local-ip any

capture capout access-list ftp-out interface outside packet-length 1500

capture capin access-list ftp-in interface inside packet-length 1500

Then try to make the inbound connection to the FTP server. To download the capture from the PIX:

http server enable

http ip-address-host-downloading-capture 255.255.255.255 inside

And go to:

https://inside-interface-ip/capture/capin/Pcap

https://inside-interface-ip/capture/capout/Pcap

Make sure that you save the file with a libcap format (*.cap) so you can open it with any protocol analyzer program, like Ethereal. Must likely you will find the server responding on the port command with its public IP. You will see something like:

PORT (a,b,c,d,FF,FF); where a.b.c.d is the IP address [should be the private one] and FF,FF is used to determine the port number to use for the data channel...

Hope that helps!

Federico Rodriguez

0 Helpful
Customers Also Viewed These Support Documents